CRYPTOGRAPHIC MODULAR EXPONENTIATION METHOD PROTECTED AGAINST DPA ATTACKS

In the field of the protection of cryptographic algorithms against DPA attacks, the invention concerns a method during which a modular exponentiation of the type x^d is carried out, with d an integer exponent of m+1 bits, scanning the bits of d from left to right in a loop indexed by i varying from m to 0 and calculating and storing in an accumulator (R0), at each turn of rank i, an updated partial result equal to x^b(i). b(i) corresponds to the m-i+1 most significant bits of the exponent d: b(i) = d_{m->i}. The number consisting of the bits of weights j to k of d is defined by:

Modular exponentiation is one of the elementary operations used in many cryptosystems, such as RSA (Rivest, Shamir and Adleman) cryptosystems or DH (Diffie and Hellman) cryptosystems. For such applications, x is for example a message to be enciphered or deciphered, to be signed or authenticated, and d is for example a public key, a secret key or part of such a key.

Since the invention of public key cryptography by Diffie and Hellman, many public key cryptosystems have been proposed. Amongst those which resist cryptanalysis, the RSA cryptosystem is without any doubt the most widely used. Its intrinsic security lies in the difficulty of factorising large integers. Despite intensive research, the factorisation problem is still considered to be a hard problem, making the RSA cryptosystem secure for sensitive applications such as the enciphering of data or digital signature.

Thus, rather than attempting to break the RSA algorithm at a mathematical level, cryptographers have become interested in the concrete implementations of RSA cryptosystems. This has led to a huge increase in fault attacks and covert channel attacks, aimed at discovering a particular item of confidential information (such as keys or parts of keys) manipulated during one or other of the steps implemented by the calculation device executing a cryptographic operation.

The most widely known covert channel attacks are said to be simple or differential. A simple (SPA) or differential (DPA) covert channel attack means an attack based on the measurement of a physical quantity from outside the device, whose direct analysis (simple attack, SPA) or statistical analysis (differential attack, DPA) makes it possible to discover information manipulated in the device. These attacks were in particular disclosed by Paul Kocher (Advances in Cryptology - CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397, Springer-Verlag, 1999).

Amongst the physical quantities that can be 
exploited for these purposes, it is possible to cite 
the execution time, the current consumption, the 
electromagnetic field radiated by the part of the 
component used for executing the calculation, etc. 
These attacks are based on the fact that, during the 
execution of an algorithm, the manipulation of a bit, 
that is to say its use by a particular instruction, 
leaves a particular impression on the physical quantity 
considered, according to the value of this bit and/or 
according to the instruction. 

There exist two families of implementations of exponentiation algorithms making it possible to evaluate the value of y = x^d mod N: the so-called right to left implementations and the so-called left to right implementations.

In the left to right implementations, the bits of the exponent are scanned from the most significant bit to the least significant bit. In this second family of exponentiation algorithms there is in particular known the SAM algorithm (standing for Square and Multiply) and its variants such as sliding window algorithms. Compared with the so-called right to left algorithms, left to right algorithms require less memory and allow the use of precalculated powers x^i in order to accelerate the calculation of y. All the left to right algorithms have in common the use of an accumulator (or register) that is updated throughout the calculation in order to store the value of x^{d_{m->i}} mod N for decreasing values of i until the accumulator contains the final value y = x^{d_{m->0}} = x^d mod N. d_{k->j} is the word consisting of the bits of weight j to k of d.

The general principle of the SAM algorithm is as follows. The bit of weight i of d is denoted d_i, and

    d = (d_m, ..., d_0)_2 = Σ_{i=0}^{m} d_i·2^i

is the binary representation of the exponent d, with d_i ∈ {0, 1}. For each bit of d, the SAM algorithm stores in an accumulator (register R0) an updated result calculated from the recurrence equation x^{d_{m->i}} = (x^{d_{m->i+1}})^2 × x^{d_i}, with x^{d_{m->m}} = x^{d_m}, which is summarised by the following algorithm:

Input: x, d = (d_m, ..., d_0)_2
Output: y = x^d mod N

R0 <- 1; R2 <- x; i <- m
as long as i ≥ 0, do:
    R0 <- R0 × R0 mod N
    if d_i = 1 then R0 <- R0 × R2 mod N
    i <- i-1
end as long as
return R0

R0 <- x means that the value of x is stored in the register R0. R0 × R0 means that the content of the register R0 is squared. R0 × R2 means that the content of the register R0 is multiplied by the content of the register R2. Finally, d_{i->j} refers to the bits of rank j to i of d.
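The SAM loop and the d_{k->j} notation, as an added Python example (it is not code from the patent; the function and variable names are this example's own). The accumulator invariant stated above, namely that R0 holds x^{d_{m->i}} mod N after the turn of rank i, is checked at every turn, and the operation count separates the unconditional squarings from the multiplications that execute only when d_i = 1, which is the data-dependent behaviour the covert channel attacks described above exploit.

```python
def bits(d, k, j):
    """d_{k->j}: the integer formed by the bits of weight j to k of d (k >= j).
    An empty field (k < j) is 0."""
    if k < j:
        return 0
    return (d >> j) & ((1 << (k - j + 1)) - 1)


def sam(x, d, N, trace=None):
    """Left-to-right square-and-multiply (SAM).

    R0 is the accumulator and R2 holds x. After the turn of rank i, R0 holds
    x^{d_{m->i}} mod N. If `trace` is a list, (i, R0) is appended at every turn
    so that the invariant can be checked. Returns (y, squarings, multiplies)."""
    m = d.bit_length() - 1          # d has m+1 bits (d = 0 gives an empty loop)
    R0, R2 = 1, x % N
    squarings = multiplies = 0
    for i in range(m, -1, -1):
        R0 = (R0 * R0) % N          # always executed: one squaring per bit
        squarings += 1
        if (d >> i) & 1:            # executed only when d_i = 1: the SPA/DPA-visible branch
            R0 = (R0 * R2) % N
            multiplies += 1
        if trace is not None:
            trace.append((i, R0))
    return R0, squarings, multiplies


def check_invariant(x, d, N):
    """Run SAM and verify R0 == x^{d_{m->i}} mod N after every turn of rank i.
    Returns (y, invariant_holds)."""
    trace = []
    y, _, _ = sam(x, d, N, trace)
    m = d.bit_length() - 1
    holds = all(r == pow(x, bits(d, m, i), N) for i, r in trace)
    return y, holds


if __name__ == "__main__":
    # constructed sample values: x = 7, d = 90 = (1011010)_2, N a small prime
    y, ok = check_invariant(7, 90, 1000003)
    print(y == pow(7, 90, 1000003), ok)
    print(sam(7, 90, 1000003)[1:])   # (m+1, H(d)) = (7, 4) for d = 90
```

The count returned by sam is (m+1) squarings plus the Hamming weight of d; on the page this is what the "complexity 1.5" of an unprotected SAM refers to, since half the bits of a random exponent are 1.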

In order to guard against implementation attacks, it is known that it is necessary to make the algorithms random. In the case of the RSA cryptosystem, two types of countermeasure are currently known for making the calculation of y = x^d mod N random.

The first type of countermeasure consists of making the input data of the algorithm random.

A first example of this first countermeasure consists of making the data item x random before carrying out the modular exponentiation, by adding to x a random term and making the calculations modulo 2^k·N, before a final reduction modulo N:

    x <- x + r1·N, with r1 a random number of k bits,

the calculations being made modulo 2^k·N, before a final reduction modulo N. This first countermeasure, described by P. Kocher, has the advantage of being independent of the exponentiation algorithm.

A second example of this first countermeasure consists of making the exponent d random before carrying out the modular exponentiation, by adding to it a random term:

    d <- d + r2·φ(N), with r2 a random number of k bits.

Usually these two solutions are combined in order to perform the operation y = y' mod N with y' = x^d mod (2^k·N).

In a third example of this first countermeasure, the randomisation of the exponent is used alone, for example when x is the result of a probabilistic formatting (for example using the PSS or Probabilistic Signature Scheme function), since in this case x is already masked, and a direct calculation is made of y = x^{d'} mod N with d' = d + r2·φ(N), r2 random.
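The two operand randomisations of the first countermeasure, as an added Python example (not code from the patent). The toy RSA parameters (p = 61, q = 53, so N = 3233 and φ(N) = 3120, with private exponent d = 2753) are constructed for the demonstration, and the function names are this example's own. Every call draws fresh masks r1 and r2, so the intermediate values differ from run to run while the final result is always x^d mod N.

```python
import secrets


def blinded_modexp(x, d, N, phiN, k=64):
    """Compute x^d mod N with both randomisations applied:
    x' = x + r1.N, d' = d + r2.phi(N), intermediate work modulo 2^k.N and a
    final reduction modulo N. Returns (y, r1, r2) so the masks can be inspected."""
    r1 = secrets.randbits(k)
    r2 = secrets.randbits(k)
    x_masked = x + r1 * N            # x' == x (mod N), but a different integer on every run
    d_masked = d + r2 * phiN         # x^{d'} == x^d (mod N): N = p.q is squarefree, so
                                     # x^{phi(N)} == 1 modulo every prime factor not dividing x
    M = (1 << k) * N                 # all squarings and multiplications are done modulo 2^k.N
    y_prime = pow(x_masked, d_masked, M)
    return y_prime % N, r1, r2


def exponent_blinded_modexp(x, d, N, phiN, k=64):
    """Third example: only the exponent is randomised, x being assumed already
    masked (e.g. by PSS formatting); y = x^{d'} mod N with d' = d + r2.phi(N)."""
    r2 = secrets.randbits(k)
    return pow(x, d + r2 * phiN, N)


# constructed toy RSA key: N = 61 * 53, phi(N) = 60 * 52, e = 17, d = 2753
P, Q = 61, 53
N_TOY, PHI_TOY, D_TOY = P * Q, (P - 1) * (Q - 1), 2753


def demo(x=2790):
    """Both randomised computations must agree with the plain x^d mod N.
    Returns (y_both_masks, y_exponent_mask_only, reference)."""
    y1, _, _ = blinded_modexp(x, D_TOY, N_TOY, PHI_TOY)
    y2 = exponent_blinded_modexp(x, D_TOY, N_TOY, PHI_TOY)
    return y1, y2, pow(x, D_TOY, N_TOY)
```

With x = 2790 (the ciphertext of 65 under e = 17 for this key) all three values are 65. The second function only applies when φ(N) is available to the exponentiation code, which is the limitation the next paragraph describes.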

Unfortunately, such a randomisation of the exponent d is limited to particular implementations, called CRT implementations, of the RSA cryptosystem, since the value of Euler's totient function φ(N) is not generally known to the private exponentiation algorithm in its standard (that is to say non-CRT) version.

The second countermeasure consists of making the exponentiation algorithm itself random. The best implementation of the second countermeasure is the MIST algorithm of Walter. The MIST algorithm randomly generates a new addition chain for the exponent d in order to effect x^d mod N. In order to minimise the number of registers, the addition chain is built on the fly by means of an adaptation of an exponentiation algorithm based on division chains. Another example is an improved version of a sliding window algorithm (see Kouichi Itoh, Jun Yajima, Masahiko Takenaka and Naoya Torii, DPA countermeasures by improving the window method, CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 303-317, Springer-Verlag, 2002). Compared with the first countermeasure, this makes it possible to make the exponentiation random without needing to know φ(N), but it requires a secure division algorithm for calculating the division chains and raises not insignificant concerns about the management of the calculations.

The invention proposes a novel method for making the execution of a modular exponentiation random, for the purpose of guarding against differential attacks (DPA), having the advantages of the two known countermeasures: as in the first countermeasure, the method according to the invention does not impose any particular exponentiation algorithm and applies to any exponentiation algorithm, and as in the second countermeasure, in the invention the algorithm itself is made random, not only the data that it manipulates. Thus the algorithm does not need to know φ(N) and/or the public key e in an RSA exponentiation (the key e is often unavailable to the signature or deciphering algorithm).

The method according to the invention introduces 
the concept of auto-random exponentiation, meaning that 
the exponent d is used itself as an additional source 
of randomness in the exponentiation process. 

Thus the invention concerns a cryptographic method during which a modular exponentiation of the type x^d is carried out, with d an integer exponent of m+1 bits, by scanning the bits of d from left to right in a loop indexed by i decremented from m to 0 in steps of 1 and calculating and storing in an accumulator, at each turn of rank i, an updated partial result equal to x^b(i), b(i) being the m-i+1 most significant bits of the exponent d.
The method according to the invention is characterised in that:

- at the end of a turn of rank i(j) (i = i(0)) chosen randomly, a randomisation step E1 is performed during which:

  E1: a random number z (z = b(i(j)), z = b(i(j))·2^τ, or z = u) is subtracted from a part of the bits of d not yet used (d_{i-1->0}) in the method;

- then, after having used the bits of d modified by the randomisation step E1, a consolidation step E2 is performed during which:

  E2: the result of the multiplication of the content of the accumulator (x^b(i)) by a number that is a function of x^z, stored in a register (R1), is stored (R0 <- R1 × R0) in the accumulator R0.

From a practical point of view, during step E1, the number z is subtracted from the content of a register in which the exponent d is initially stored, the result of the subtraction is stored in the same register, and the scanning of the bits of d then continues.

So that the result of the exponentiation x^d mod N is correct at the end of the method, the randomisation step E1 must not modify the bits of d already used in the calculation (it will be recalled that the method uses a left to right algorithm). The index i(j) at which the randomisation E1 is carried out, chosen randomly, must be chosen so that the m-i(j)+1 most significant bits of the register initially containing the exponent d remain unchanged during step E1. This condition will be referred to hereinafter as a "consistency" condition.

The essential idea of the invention is thus to use a splitting of the calculation of x^d mod N of the form x^d = x^(d-z) × x^z (described in French patent application number 02 04117 (number to be confirmed)), with z a random number used as a means of masking the exponent d. Preferably, values of z are chosen such that x^z can be obtained easily from the values x^b already calculated during the method. It should be noted that a totally random choice of z gives rise to an almost doubling of the calculation time.

The method according to the invention applies 
independently of the left to right exponentiation 
algorithm. Moreover, the rank i(j) at which step El is 
performed is chosen so as to be random, and therefore 
the method itself is random, and not only the data that 
it manipulates. 

The method according to the invention is also 
effective in terms of space (it requires only one 
additional calculation register) and in terms of 
calculation time, as will be seen better subsequently 
in the example of the SAM algorithm. 

The method according to the invention is also easy to implement whatever the algorithm to which it is applied. It is not based on any group property and its implementation does not require prior knowledge of the order of the group in which the exponentiation is performed.

Finally, the method according to the invention can be used conjointly with other algorithm protection measures, such as the countermeasures disclosed by P. Kocher and stated above.
The randomisation step E1 can be performed on a single occasion during the method. A step E1 can also be performed several times, at the end of various turns of rank i(j) (that is to say at rank i = i(0), then at rank i = i(1), and finally at rank i = i(f)) chosen randomly between 0 and m. The idea here is to improve further the security of the method by using the equation:

    x^d = x^(d-z1-z2-...-zf) × x^z1 × x^z2 × ... × x^zf
        = x^(((d-z1)-z2)-...-zf) × ((x^z1 × x^z2) × ... × x^zf)

It is possible to choose, at the start of the method, the random rank or ranks i(j) at which a randomisation E1 is performed. For example, at the start of the method, a predefined set {i(0), i(1), ..., i(f)} of f+1 (f being random or not) values of the index i for which it is wished to perform a randomisation E1 is determined. In this case, at each turn, it is decided whether or not to perform a randomisation E1 according to whether or not the current index i forms part of the predefined set.

It is also possible to choose randomly, at the start of each turn i, whether or not to perform the randomisation step E1. In this case a Boolean variable p is for example used, drawn randomly at the end of each turn of index i.
Different embodiments of the invention will now be described, which differ from one another essentially by the embodiment of step E1, and in particular by the choice of z and the choice of the part of d from which z is subtracted.

According to a first embodiment, it is chosen to perform the consolidation step only once, at the end of the method. This makes it necessary to subtract z systematically from the least significant bits of the exponent d, so as to obtain a correct result at the end of the method.

According to a first variant of this embodiment, z = b(i(j)) = d_{m->i(j)} is chosen for a randomly chosen number i(j) and, during the randomisation step E1, b(i(j)) is subtracted from d, that is to say from the least significant bits of d.

The choice z = b(i(j)) is particularly advantageous since x^b(i(j)) = x^{d_{m->i(j)}} is already available in the accumulator at the end of the turn i(j) and therefore does not need to be calculated. The variable i(j) is chosen so that the bits of weight i(j) to m of the number d-b(i(j)) are equal to the bits of weight i(j) to m of the number d, so that the first m-i(j)+1 turns of the calculation of x^d are identical to the first m-i(j)+1 turns of the calculation of x^(d-b(i(j))) (consistency condition). At the end of the turn i(j), d-z = d-b(i(j)) is calculated and the content of the accumulator x^b is stored in the register R1.
In a particular example, a Boolean variable p is used to determine, at the end of each turn of index i, whether or not a randomisation is performed. If p takes an active value, then step E1 is performed: the number d is replaced with the number d-b(i(j)) and x^b(i(j)) is stored.

As in the conventional left to right algorithm, the accumulator R0 is used to store the value of x^{d_{m->i}} at each turn of index i. The register R1 is used for storing the product Π_j x^{d_{m->i(j)}}.

The whole applies to the known SAM algorithm, and the following algorithm I is obtained:

Input: x, d = (d_m, ..., d_0)_2
Output: y = x^d mod N

R0 <- 1; R1 <- 1; R2 <- x; i <- m
as long as i ≥ 0, do:
    R0 <- R0 × R0 mod N
    if d_i = 1 then R0 <- R0 × R2 mod N
    p <- R{0, 1}
    if (p = 1) and (d_{i-1->0} ≥ d_{m->i}) then
        d <- d - d_{m->i}
        R1 <- R1 × R0 mod N
    end if
    i <- i-1
end as long as
R0 <- R0 × R1 mod N
return R0
p <- R{0, 1} means that the value of p is chosen randomly in the set {0, 1}. p is thus a random Boolean variable.

The randomisation step E1 (d <- d - d_{m->i(j)}; R1 <- R1 × R0 mod N) is performed only if p = 1 (that is to say if a randomisation must be performed) and if d_{i(j)-1->0} ≥ d_{m->i(j)}.

The condition d_{i(j)-1->0} ≥ d_{m->i(j)} means that the bits of weight 0 to i(j)-1 of d are greater than or equal to b(i(j)), b(i(j)) being equal to the bits of weight i(j) to m of d. This guarantees that the m-i+1 most significant bits of d-b(i(j)) are identical to the m-i+1 most significant bits of d, and therefore that the first m-i+1 calculation turns of x^d are identical to the first m-i+1 calculation turns of x^(d-b(i(j))).

The "consistency" condition (d_{i(j)-1->0} ≥ d_{m->i(j)}) means that only the least significant bits of the exponent d are made random. In addition, it will be noted that the randomisation step d <- d - d_{m->i(j)} modifies only the (m-i(j)+1) least significant bits of d.

It should be noted that, in algorithm I, since at the iteration i = i(j) the updating step d <- d - d_{m->i} does not modify the (m-i+1) most significant bits of d, this step can be replaced by the equivalent step d_{i-1->0} <- d_{i-1->0} - d_{m->i}.
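Algorithm I implemented in Python, as an added example (it is not the patent's own code, and the names used here are this example's own). The exponent register is a Python integer, d_{k->j} is read with a small helper, and the random draw of p can be replaced by a deterministic callback so that a run can be reproduced. The consistency test d_{i-1->0} ≥ d_{m->i} guarantees that the subtraction alters only bits below rank i; the function checks that guarantee explicitly after each step E1.

```python
import secrets


def bits(d, k, j):
    """d_{k->j}: bits of weight j..k of d as an integer (0 for an empty field)."""
    return 0 if k < j else (d >> j) & ((1 << (k - j + 1)) - 1)


def algorithm_I(x, d, N, draw_p=None):
    """SAM with the randomisation step E1 (z = b(i) = d_{m->i}) at randomly
    chosen turns and a single consolidation E2 at the end.

    draw_p(i) -> 0/1 replaces the random Boolean p (default: a fresh random bit).
    Returns (y, number_of_randomisations)."""
    m = d.bit_length() - 1
    R0, R1, R2 = 1, 1, x % N
    n_rand = 0
    for i in range(m, -1, -1):
        R0 = R0 * R0 % N                     # conventional SAM turn
        if (d >> i) & 1:
            R0 = R0 * R2 % N
        p = secrets.randbelow(2) if draw_p is None else draw_p(i)
        b = bits(d, m, i)                    # b(i): R0 now holds x^b(i)
        low = bits(d, i - 1, 0)              # d_{i-1->0}: the bits not yet used
        if p == 1 and low >= b:              # consistency condition
            top_before = bits(d, m, i)
            d = d - b                        # E1, equivalent to d_{i-1->0} <- d_{i-1->0} - d_{m->i}
            assert bits(d, m, i) == top_before, "bits already used must not change"
            R1 = R1 * R0 % N                 # R1 accumulates the product of the x^z
            n_rand += 1
    R0 = R0 * R1 % N                         # E2: x^(d - sum of z) * product of x^z = x^d
    return R0, n_rand
```

With the draw forced to p = 1 at every turn and the constructed values x = 3, d = 109 = (1101101)_2, N = 1009, the condition holds at ranks 6, 5 and 4, so three randomisations take place and the result still equals pow(3, 109, 1009); with p = 0 throughout the function degenerates to the plain SAM.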

According to a second variant of the first embodiment, z is chosen equal to g·b(i), with g a random number such that d_{i(j)-1->0} ≥ g·d_{m->i(j)}. In this case the equation x^d = x^(d-z) × x^z = x^(d-g·b(i)) × (x^b(i))^g is used and, from a practical point of view, in order to perform a randomisation E1 at the end of the turn of index i(j):

- z = g·b(i) is calculated and the result is subtracted from the exponent d,

- the register R1 is updated by multiplying its content by the content of the accumulator (x^b(i)) raised to the power g, which can in concrete terms be implemented by the instruction R1 <- R1 × R0^g mod N.

Preferably g = 2^τ is chosen, τ being a random integer. This considerably simplifies the calculation since the calculation of g·b(i) = g·d_{m->i(j)} amounts to a simple shifting of bits and the evaluation of (x^b(i))^g mod N amounts to performing τ squarings.

Since multiplying by 2^τ amounts to a shifting of bits, the instruction d <- d - 2^τ·d_{m->i}, which calculates d-g·b(i), can be replaced by d_{m->τ} <- d_{m->τ} - d_{m->i}, or better by the equivalent instruction d_{i-1->τ} <- d_{i-1->τ} - d_{m->i}.

In addition, as for the other embodiments, it must be verified that, at the iteration i = i(j), d_{i-1->0} ≥ 2^τ·d_{m->i}. This consistency condition can be replaced by an equivalent but more efficient test: d_{i-1->τ} ≥ d_{m->i}.

Preferably, τ is chosen randomly in the set {0, ..., T}. The limit T is chosen as the best compromise between the randomisation of the most significant bits of d and the efficacy (in terms of calculation time in particular) of the squarings.

In the particular example of the SAM algorithm, the following algorithm I' is finally obtained:

Input: x, d = (d_m, ..., d_0)_2
Output: y = x^d mod N

R0 <- 1; R1 <- 1; R2 <- x; i <- m
as long as i ≥ 0, do:
    R0 <- R0 × R0 mod N
    if d_i = 1 then R0 <- R0 × R2 mod N
    p <- R{0, 1}; τ <- R{0, ..., T}
    if (p = 1) and (d_{i-1->τ} ≥ d_{m->i}) then
        d_{i-1->τ} <- d_{i-1->τ} - d_{m->i}
        R3 <- R0
        as long as τ > 0, do:
            R3 <- R3^2 mod N; τ <- τ-1
        end as long as
        R1 <- R1 × R3 mod N
    end if
    i <- i-1
end as long as
R0 <- R0 × R1 mod N
return R0

One advantage of algorithm I' is that the top half of d is partly randomised and consequently entropy (that is to say randomness) is added. On the other hand, an additional register R3 is necessary for calculating R0^(2^τ).
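The second variant of the first embodiment (algorithm I'), with z = 2^τ·b(i), as an added Python example that is not the patent's own code. The field d_{i-1->τ} is rewritten in place, so the update is exactly d <- d - 2^τ·d_{m->i} without touching any other bit, and the register R3 is squared τ times to obtain (x^b(i))^(2^τ). The names, the callback that fixes p and τ for a reproducible run, and the sample values are this example's own.

```python
import secrets


def bits(d, k, j):
    """d_{k->j}: bits of weight j..k of d (0 for an empty field)."""
    return 0 if k < j else (d >> j) & ((1 << (k - j + 1)) - 1)


def set_bits(d, k, j, val):
    """Return d with the field d_{k->j} replaced by val (val must fit in k-j+1 bits)."""
    mask = ((1 << (k - j + 1)) - 1) << j
    return (d & ~mask) | ((val << j) & mask)


def algorithm_I_prime(x, d, N, T, draw=None):
    """SAM with E1 using z = 2^tau . b(i), tau random in {0, ..., T}.

    draw(i) -> (p, tau) may replace the random draws. Returns (y, n_rand)."""
    m = d.bit_length() - 1
    R0, R1, R2 = 1, 1, x % N
    n_rand = 0
    for i in range(m, -1, -1):
        R0 = R0 * R0 % N
        if (d >> i) & 1:
            R0 = R0 * R2 % N
        if draw is None:
            p, tau = secrets.randbelow(2), secrets.randbelow(T + 1)
        else:
            p, tau = draw(i)
        b = bits(d, m, i)                      # b(i); R0 == x^b(i)
        field = bits(d, i - 1, tau)            # d_{i-1->tau}
        # consistency test d_{i-1->tau} >= d_{m->i}; the field must exist (i-1 >= tau)
        if p == 1 and i - 1 >= tau and field >= b:
            d = set_bits(d, i - 1, tau, field - b)   # d <- d - 2^tau . d_{m->i}
            R3 = R0
            for _ in range(tau):               # R3 <- R0^(2^tau) by tau squarings
                R3 = R3 * R3 % N
            R1 = R1 * R3 % N                   # R1 collects the product of the x^z
            n_rand += 1
    return R0 * R1 % N, n_rand
```

For the constructed values x = 3, d = 109, N = 1009 with p = 1 and τ = 1 forced at every turn, the test passes at ranks 6 and 5 only (the remaining fields are too small), giving two randomisations and the correct x^d mod N.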



Algorithms I and I' may be sufficient to protect 
the exponents in certain cases. For example, because 
of its construction, the RSA cryptosystem always 
exposes the most significant half of the private 
exponent d if the corresponding public exponent is 
small. Making random the most significant bits of d 
would therefore afford no protection for such an 
algorithm. 

However, for other algorithms and in other 
situations, making all the bits of d random would 
afford additional security. 

For this purpose, it is proposed, in a second embodiment, to choose z = b(i(j)) = d_{m->i(j)} for a random number i(j) and, during step E1, to subtract b(i(j)) not from d but from some of the bits of d, namely the bits of d of weight i(j)-c(j) to i(j)-1, c(j) being an integer such that i(j) ≥ c(j) > 0. This can be expressed by the following instruction:

    d_{m->i(j)-c(j)} <- d_{m->i(j)-c(j)} - d_{m->i(j)}

Preferably, since during step E1 of a randomisation at rank i(j) the bits of weight i(j)-c(j) to i(j)-1 of d are modified, it is chosen to perform only one randomisation at a time, and to perform a consolidation step at the end of the turn using the last bit of d modified during the previous randomisation step E1 (rather than at the end of the method), that is to say after the evaluation of the partial result x^{d_{m->i(j)-c(j)}} mod N.

This amounts to imposing the condition i(j+1) < i(j) - c(j), i(j+1) being the index of the following randomisation. This makes it possible not to use additional registers to store the bits of the exponent that were modified during a previous randomisation. Equally, i(j) - c(j) ≥ 0 is chosen, so that i(j) - c(j) can be used to define the rank of a bit of d for calculating x^{d_{m->i(j)-c(j)}} mod N.

These two conditions can be made concrete by the use of a Boolean semaphore a which indicates whether an update is authorised or not: a has an inactive value as long as i > i(j) - c(j) and is activated when i < i(j) - c(j). It also becomes unusable as soon as i(j) - c(j) < 0.

The (m-i(j)+1) most significant bits of d remain unchanged during the randomisation step if (consistency condition):

    d_{i(j)-1->i(j)-c(j)} ≥ d_{m->i(j)}

for which the field must be at least as wide as b(i(j)): (i(j)-1)-(i(j)-c(j)) ≥ m-i(j), that is c(j) ≥ m-i(j)+1.
According to a first variant of the second embodiment, c(j) is chosen equal to m-i(j)+1. With the condition i(j) ≥ c(j) > 0, the condition c(j) ≥ m-i(j)+1 is satisfied if 2·i(j) > m+1.

The modified SAM algorithm according to this variant can therefore be written (algorithm II):

Input: x, d = (d_m, ..., d_0)_2
Output: y = x^d mod N

R0 <- 1; R1 <- 1; R2 <- x;
i <- m; c <- -1; a <- 1
as long as i ≥ 0, do:
    R0 <- R0 × R0 mod N
    if d_i = 1 then R0 <- R0 × R2 mod N end if
    if (2i > m+1) and (a = 1) then c <- m-i+1
    else a <- 0
    end if
    p <- R{0, 1}
    ε <- p and (d_{i-1->i-c} ≥ d_{m->i}) and a
    if ε = 1 then
        R1 <- R0; a <- 0
        d_{i-1->i-c} <- d_{i-1->i-c} - d_{m->i}
    end if
    if c = 0 then R0 <- R0 × R1 mod N; a <- 1
    end if
    c <- c-1; i <- i-1
end as long as
return R0

It should be noted that algorithm I corresponds to algorithm II in the case where c(j) = i(j) for any j. It should also be noted that, in algorithm II, the consistency condition (d_{i(j)-1->i(j)-c(j)} ≥ d_{m->i(j)}) is satisfied during the first part of the algorithm, considering approximately that d_{i(j)-1->i(j)-c(j)} and d_{m->i(j)} are random numbers of (m-i(j)+1) bits. It should be noted that, in this algorithm, all the bits of the exponent are randomised.

According to a second variant of the second embodiment, c(j) is chosen randomly between m-i(j)+1 and i(j).

It was seen previously that the condition c(j) ≥ m-i(j)+1 must be satisfied. By setting c(j) = m-i(j)+1+v(j), it is therefore necessary to satisfy v(j) ≥ 0. Moreover, with the condition i(j) ≥ c(j) > 0, there comes 2·i(j) ≥ m+1+v(j). Therefore the greatest possible value for v(j) is 2·i(j)-m-1 and therefore, as v(j) ≥ 0, the parameter c(j) = m-i(j)+1+v(j) can take any value in the set {m-i(j)+1, ..., i(j)}. Algorithm II can then be generalised by choosing c(j) at random in the set {m-i(j)+1, ..., i(j)}.

In the particular example of algorithm II this amounts to replacing the instruction:

    if (2i > m+1) and (a = 1) then c <- m-i+1

by the instruction:

    if (2i > m+1) and (a = 1) then c <- R{m-i+1, ..., i}

which gives the following algorithm III:

Input: x, d = (d_m, ..., d_0)_2
Output: y = x^d mod N

R0 <- 1; R1 <- 1; R2 <- x;
i <- m; c <- -1; a <- 1
as long as i ≥ 0, do:
    R0 <- R0 × R0 mod N
    if d_i = 1 then R0 <- R0 × R2 mod N end if
    if (2i > m+1) and (a = 1) then c <- R{m-i+1, ..., i}
    else a <- 0
    end if
    p <- R{0, 1}
    ε <- p and (d_{i-1->i-c} ≥ d_{m->i}) and a
    if ε = 1 then
        R1 <- R0; a <- 0
        d_{i-1->i-c} <- d_{i-1->i-c} - d_{m->i}
    end if
    if c = 0 then R0 <- R0 × R1 mod N; a <- 1
    end if
    c <- c-1; i <- i-1
end as long as
return R0
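The second embodiment (algorithms II and III) as an added Python example; it is not the patent's own code and its names are invented here. z = b(i) is subtracted from the field d_{i-1->i-c} and the consolidation is performed at rank i-c, tracked by the countdown c and the semaphore a. Two details are assumptions of this example rather than steps of the pseudocode above: the countdown is started only when a randomisation is actually taken, so that a draw which is not taken cannot trigger a stray consolidation later, and the borrowed field is restored when its consolidation is performed, so that a later randomisation reads the original value of d_{m->i}, which is the exponent the accumulator represents at that point. With choose_c returning m-i+1 the function is algorithm II; the default random choice in {m-i+1, ..., i} is algorithm III.

```python
import secrets


def bits(d, k, j):
    """d_{k->j}: bits of weight j..k of d (0 for an empty field)."""
    return 0 if k < j else (d >> j) & ((1 << (k - j + 1)) - 1)


def set_bits(d, k, j, val):
    """Return d with the field d_{k->j} replaced by val (val must fit)."""
    mask = ((1 << (k - j + 1)) - 1) << j
    return (d & ~mask) | ((val << j) & mask)


def sam_randomised(x, d, N, choose_c=None, draw_p=None):
    """Second embodiment: z = b(i) is subtracted from the field d_{i-1->i-c}
    and the consolidation R0 <- R0 x R1 is performed at rank i-c.

    choose_c(i, m) returns c in {m-i+1, ..., i}: lambda i, m: m-i+1 gives
    algorithm II, the default random choice gives algorithm III.
    draw_p(i) -> 0/1 replaces the random Boolean p. Returns (y, n_rand)."""
    m = d.bit_length() - 1
    R0, R1, R2 = 1, 1, x % N
    a = 1                   # semaphore: 1 = a new randomisation may be started
    c = -1                  # countdown to the consolidation rank i(j) - c(j)
    rank = width = 0        # i(j) and c(j) of the randomisation in progress
    n_rand = 0
    for i in range(m, -1, -1):
        R0 = R0 * R0 % N                              # conventional SAM turn
        if (d >> i) & 1:
            R0 = R0 * R2 % N
        if a == 1 and 2 * i > m + 1:                  # a field of c bits fits below rank i
            if choose_c is not None:
                c_new = choose_c(i, m)
            else:
                c_new = m - i + 1 + secrets.randbelow(2 * i - m)
            p = secrets.randbelow(2) if draw_p is None else draw_p(i)
            b = bits(d, m, i)                         # z = b(i); R0 holds x^z
            field = bits(d, i - 1, i - c_new)         # d_{i-1->i-c}
            if p == 1 and field >= b:                 # consistency condition
                R1 = R0                               # keep x^z for the consolidation
                d = set_bits(d, i - 1, i - c_new, field - b)       # E1
                rank, width, c, a = i, c_new, c_new, 0   # arm the countdown (assumption)
                n_rand += 1
        if c == 0:                                    # rank i = i(j) - c(j)
            R0 = R0 * R1 % N                          # E2: x^(... - z) times x^z
            # restore the borrowed field so later draws see the true d_{m->i}
            # (assumption of this example; z is still held in bits i(j)..m of d)
            d = set_bits(d, rank - 1, rank - width,
                         bits(d, rank - 1, rank - width) + bits(d, m, rank))
            a = 1
        c -= 1
    return R0, n_rand
```

For the constructed values x = 3, d = 109, N = 1009 run as algorithm II with p = 1 at every turn, randomisations are taken at ranks 6 (c = 1, consolidation at rank 5) and 4 (c = 3, consolidation at rank 1), and the result equals pow(3, 109, 1009).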

A large value for v(j) increases the probability of success of the consistency condition (and therefore the choice of a randomisation). On the other hand, this also reduces the possible values of the index i satisfying the condition 2·i(j) ≥ m+1+v(j).

The frequency of occurrence of the value p = 0 of the Boolean variable p is a parameter of the method making it possible to choose the best compromise between performance and security, according to the application envisaged: the more randomisation steps are performed, the greater the detriment to the total calculation time; conversely, the fewer randomisation steps are performed, the more attacks by exhaustive search are facilitated.

A good means of minimising the cost of the additional operations consists of slightly modifying the random number generator producing the number p so that, when the Hamming weight of d-z (z can have different values as a function of b(i), according to the embodiment envisaged) is lower than the Hamming weight of d, p has a greater probability of equalling 1, and vice versa. With this trick, the algorithm will tend to select the case having the lowest Hamming weight, that is to say the most rapid branch.

It should be noted, however, that this algorithm cannot always select the most rapid branch, since otherwise it would become deterministic and therefore easily attackable.

According to a third embodiment of the invention, a random number u of v bits is chosen at the start of the method and x^u is stored in the register R1. The number u is preferably modified several times during the method, in order to increase the random factor in the method.

Then, during the calculation, for a given rank i(j), it is asked, for a packet w of v bits of d such that w ≥ u, whether the calculation of x^w is more expensive (in terms of calculation time) than that of x^(w-u) × x^u.

To answer this question, it suffices to determine whether H(w) > H(w-u) + 1. H(w) is the Hamming weight of w and represents the cost of the operation x^w. H(w-u) is the Hamming weight of w-u, representing the cost of x^(w-u). The term "+1" represents the cost of the multiplication of x^(w-u) by x^u (x^u being already stored).

If the calculation of x^w is less expensive than the calculation of x^(w-u) × x^u, then the method is continued. Otherwise, if the calculation of x^w is more expensive than the calculation of x^(w-u) × x^u, then the packet w of bits of d is replaced by the number w-u. The consolidation step (here a multiplication by x^u, which is represented by the operation R0 <- R0 × R1 mod N) will be performed when all the modified bits of d have been used.

Compared with the two previous embodiments described, this third embodiment has the advantage of being faster since, in order to effect a randomisation, the most rapid path (the least expensive) is chosen each time. Thus it is shown experimentally that the complexity of this method is approximately 1.4. The complexity is the average number of multiplications of contents of registers performed for each bit of the exponent d. The complexity of an unprotected SAM algorithm is 1.5; the complexity of the methods according to the first or second embodiments of the invention is for its part slightly greater than 1.5.

Moreover, in this third embodiment, the source of randomness (the number u) is external to the method. Finally, the resources (in particular the number of registers) used are the same.

This third embodiment can be represented concretely by the following algorithm IV:

Input: x, d = (d_m, ..., d_0)_2
Parameters: v, k
Output: y = x^d mod N

R0 <- 1; R2 <- x; i <- m; L <- {}
as long as i ≥ 0, do:
    R0 <- R0 × R0 mod N
    if d_i = 1 then R0 <- R0 × R2 mod N end if
    if i ≡ m (mod (m+1)/k) then a <- 1 end if
    if a = 1 and L = {} then
        (modification of the number u during the method)
        a <- 0; u <- R{0, ..., 2^v - 1};
        R1 <- x^u mod N
    end if
    w <- d_{i->i-v+1}
    h <- H(w)
    if w ≥ u then Δ <- w-u; h_Δ <- 1 + H(Δ)
    else h_Δ <- v+2
    end if
    p <- R{0, 1}
    if [(a = 0) and (i-v+1 ≥ 0)] and [(h > h_Δ) or ((p = 1) and (h = h_Δ))] then
        (it is chosen to effect x^(w-u) × x^u)
        d_{i->i-v+1} <- Δ; L <- L ∪ {i-v+1}
    end if
    if i ∈ L then
        R0 <- R0 × R1 mod N
        L <- L \ {i}
    end if
    i <- i-1
end as long as
return R0

In this example, the set L contains the list of indices for which a consolidation step must be performed. The instruction "if d_i = 1 then R0 <- R0 × R2 mod N end if" is the conventional instruction of a SAM algorithm, performed for each value of i.

The exponent d is here divided into k blocks, of identical sizes if m+1 is divisible by k, or of sizes identical to within one unit otherwise.

At each start of a block (that is to say for i ≡ m (mod (m+1)/k)), the variable a is set to 1. Next, when a is equal to 1, it is necessary to wait for the set L to be empty before performing a new randomisation step. At each consolidation step, the corresponding index i(j) is removed from the set L (instruction L <- L \ {i}). When the set L is empty, a new value of u can be chosen and x^u is calculated by means of a conventional SAM algorithm using the registers R1 and R2.

In the middle of each block (a = 0), one or more randomisation steps are performed, when h > h_Δ or (p = 1 and h = h_Δ), and on each occasion (instruction L <- L ∪ {i-v+1}) the index i(j)-v+1 at which it will be necessary to perform a consolidation step is stored. It is therefore necessary for i-v+1 to be a valid consolidation index, that is to say i-v+1 ≥ 0 (consistency condition). At each randomisation step, if h > h_Δ, it is chosen to perform the operation x^(w-u) × x^u, which is less expensive, and the bits of d are modified accordingly (d_{i->i-v+1} <- Δ). If h < h_Δ, it is chosen to effect x^w, which is less expensive, and d is not modified. If h = h_Δ, it is chosen randomly (p = 0 or 1 at random) to effect x^(w-u) × x^u or x^w.
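Algorithm IV as an added Python example (not the patent's own code; the names are this example's own). Two points are assumptions made here rather than steps shown above: the window w = d_{i->i-v+1} is examined at the start of the turn, before the bit d_i is consumed, so that every modified bit still lies ahead of the scan, and x^u is recomputed by a small SAM on R1 and R2 whenever u is refreshed. The function also counts modular multiplications, which is the measure used for the figures given below, and unprotected_cost gives the (m+1) + H(d) count of a plain SAM for comparison.

```python
import secrets


def bits(d, k, j):
    """d_{k->j}: bits of weight j..k of d (0 for an empty field)."""
    return 0 if k < j else (d >> j) & ((1 << (k - j + 1)) - 1)


def set_bits(d, k, j, val):
    """Return d with the field d_{k->j} replaced by val."""
    mask = ((1 << (k - j + 1)) - 1) << j
    return (d & ~mask) | ((val << j) & mask)


def H(n):
    """Hamming weight: the number of multiplications x^n costs in a SAM."""
    return bin(n).count("1")


def unprotected_cost(d):
    """Modular multiplications of a plain SAM: (m+1) squarings + H(d) multiplies."""
    return d.bit_length() + H(d)


def algorithm_IV(x, d, N, v, k, draw=None):
    """Third embodiment: a window w of v bits is replaced by w-u when
    H(w) > H(w-u)+1 (or at random when equal); x^u is multiplied in at rank i-v+1.

    draw(kind, i) with kind in {"u", "p"} may replace the random draws.
    Returns (y, modular_multiplications, randomisations)."""
    m = d.bit_length() - 1
    block = max(1, (m + 1) // k)            # the exponent is cut into k blocks
    R0, R1, R2 = 1, 1, x % N
    L = set()                               # ranks at which a consolidation is due
    a, u = 1, 0
    mults = n_rand = 0
    for i in range(m, -1, -1):
        if (m - i) % block == 0:
            a = 1                           # start of a block: u may be refreshed
        if a == 1 and not L:
            a = 0
            u = draw("u", i) if draw else secrets.randbits(v)
            R1 = 1                          # R1 <- x^u by a conventional SAM on R1, R2
            for t in range(u.bit_length() - 1, -1, -1):
                R1 = R1 * R1 % N; mults += 1
                if (u >> t) & 1:
                    R1 = R1 * R2 % N; mults += 1
        # Assumption of this example: the window w = d_{i->i-v+1} is examined
        # before bit d_i is consumed, so every modified bit is still ahead of the scan.
        if a == 0 and i - v + 1 >= 0:
            w = bits(d, i, i - v + 1)
            h = H(w)                        # cost of x^w
            if w >= u:
                delta = w - u
                h_delta = 1 + H(delta)      # cost of x^(w-u) times x^u
            else:
                delta, h_delta = None, v + 2   # not allowed: dearer than any x^w
            p = draw("p", i) if draw else secrets.randbelow(2)
            if h > h_delta or (p == 1 and h == h_delta):
                d = set_bits(d, i, i - v + 1, delta)   # E1: replace w by w-u
                L.add(i - v + 1)
                n_rand += 1
        R0 = R0 * R0 % N; mults += 1        # conventional SAM turn
        if (d >> i) & 1:
            R0 = R0 * R2 % N; mults += 1
        if i in L:
            R0 = R0 * R1 % N; mults += 1    # E2: consolidation with x^u
            L.discard(i)
    return R0, mults, n_rand
```

On a 7-bit exponent the bookkeeping (three recomputations of x^u) dominates, so the count is higher than the plain SAM; the saving only appears on exponents long enough for the windows to amortise it, which is the situation the 1024-bit figures below describe. The deterministic run used in the test forces u = 5 and p = 1 with v = 3, k = 2 on x = 3, d = 109, N = 1009: windows are replaced at ranks 6 and 4, consolidations occur at ranks 4 and 2, and the result equals pow(3, 109, 1009).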
By way of indication, the average number of modular multiplications necessary for performing an exponentiation of length 1024 with the SAM algorithm, protected or not, is given:

• SAM without protection: 1536 multiplications

• SAM protected by adding a multiple of φ(N) (r·φ(N) with r of 64 bits) to the exponent d (prior art): 1536 + 96 multiplications

• SAM protected according to algorithm II or III: 1536 + 10 multiplications

• SAM protected according to algorithm I': 1536 + 512·p̄ multiplications, p̄ being the average value of p

• SAM protected according to algorithm IV: 1443 multiplications

It is seen through these examples that a protected algorithm according to the invention is very effective in terms of multiplications performed (and therefore calculation time).



